Asymmetric cryptosystem employing paraunitary matrices

ABSTRACT

Disclosed are multivariate paraunitary asymmetric cryptographic systems and methods that are based on paraunitary matrices. An algebraic approach is employed in designing the multivariate cryptographic systems and methods. The cryptographic systems and methods are based on formulating a general system of multivariate polynomial equations by paraunitary matrices. These matrices are a family of invertible polynomial matrices that can be completely parameterized and efficiently generated by primitive building blocks. Using a general formulation that involves paraunitary matrices, a one-way function is designed that operates over the fields of characteristic two. To include a trapdoor, approximations are made to the paraunitary matrix. The result is a trapdoor one-way function that is efficient to evaluate, but hard to invert unless secret information about the trapdoor is known. An exemplary implementation operates on the finite field GF(256). In this example, the message block includes 16 to 32 symbols from GF(256), i.e., the block size n is an integer between 16 and 32. The ciphertext block takes its elements from the same field and has at least 10 extra symbols.

BACKGROUND

The present invention relates generally to cryptographic primitives and more particularly, to public-key (asymmetric) cryptographic systems and digital signature algorithms that are based on paraunitary matrices.

The principal of public-key cryptography involves exchanging information between parties without requiring a secure channel. Public-key cryptography is different from secret-key cryptosystems in which both parties must share a secret key. In a public-key system, each party has a pair of secret and public keys. Everyone can send encrypted message to a designated party using its public key. However, only the designated party can decrypt using his corresponding secret key. Public-key systems are used for the exchange or the distribution of secret keys that are used in symmetric cryptosystems. Except for the key exchange, other applications of public-key cryptography are digital signature and data authentication schemes. A well-known public-key cryptosystem, RSA, uses a univariate monomial over a very large ring. The public key consists of the exponent of a monomial and a composite number obtained by multiplying two large prime numbers. The security of RSA is believed to be based on the problem of factoring large composite numbers. Although after its conception in 1978, RSA has not been broken yet, there are some practical problems in its implementation. The first problem is the key-setup time that is too long for computationally-limited processors used in some applications such as pervasive computing. For example, it takes tens of minutes on a Palm V that uses a 16.6 MHz Dragonball processor to generate 1024 bits RSA key. Another problem is the size of the key that is too long in applications where bandwidth is limited. It must also be increased every year because of improvements in the factorization algorithms and computational power. Currently, the minimum recommended size of RSA key is 1024 bits. As suggested by Schneier in Applied Cryptography: Protocols, Algorithms, and Source Code in C.” 2^(nd) ed. Mew York, Wiley. 1996, the minimum size must be 4096 bits by 2015 and 8192 bits by 2025. This implies more complicated computations and longer key-setup time in the future.

In an attempt to remedy these problems, two paths are taken: 1) using monomials as the public key and hiding information in the exponent that leads to the discrete logarithm over complicated groups (e.g., points on elliptic curves) and 2) considering multivariate polynomials over small fields (e.g., GF(2^(m)) for some small m). Comparing to RSA, systems based on the discrete logarithm over elliptic curves are able to maintain the same security level with shorter key sizes. Hence, elliptic curve cryptography (ECC) seems to be suitable for devices with low computational power such as smart cards. However, ECC also has some problems and drawbacks. The shortest signature that one can generate using an elliptic curve digital signature algorithm (ECDSA) is 320 bits, which is still long for many applications. Elliptic curves over fields of characteristic two can be easily implemented in hardware, but in order to maintain security, one must employ a very large finite field, which implies a long signature. The Koblitz curves are special elliptic curves used to reduce the complexity of ECC. However, some cryptographers are concerned that the special structure in these curves (to facilitate an efficient implementation) may actually be used to efficiently attack them. Another problem is the complexity of the elliptic curve signature-verification algorithm. A comparison between ECDSA and RSA in a field with prime characteristic shows that for practical sizes of fields and moduli, signature verification with ECDSA is 40 times slower than that using RSA.

Considering the shortcomings of the RSA and ECDSA, it would be desirable to have practical cryptosystems based on problems other than the assumptions currently in use. One might be in a safer state against possibilities such as the emergence of an efficient algorithm for factoring or computing discrete logarithms. An alternative approach is multivariate cryptography that includes systems based on multivariate polynomials over small fields. Multivariate cryptography is considered to be the cryptography of the 21^(st) century. Cryptosystems based on multivariate polynomials over small fields are faster than RSA and ECC. These are schemes whose public information is a set of multivariate polynomials. Their security is based on the difficulty of solving systems of multivariate polynomial equations. The main challenge in designing such systems is including a trapdoor in the public polynomials without using polynomials with very specific forms. However, systems of random polynomials are usually very hard to invert as this difficulty is the security basis of multivariate cryptosystems. To solve this paradigm, schemes have been proposed whose public polynomials are attempted to look random while the special structure is somehow hidden from the view of cryptanalyst. For example, hidden field equations (HFE) scheme uses a quadratic univariate monomial over an extension field of a small finite field. The representation of the monomial over the small field gives a set of quadratic homogenous polynomials. Unfortunately, this scheme and many of its variants have been broken because of the special form of the public polynomials. There are some other designs, which are reviewed below, that are all broken.

Previous Work in Multivariate Cryptography

The outline of a public-key cryptosystem based on iterative polynomial substitution is discussed by H. Fell et al., in “Analysis of a public key approach based on polynomial substitution,” Adv. Cryptol.—CRYPTO'85, 1986, vol. 218, Lecture Notes in Computer Science, pp. 340-349. The idea is attractive and simple, but as the authors mention, the number of terms in polynomials astronomically increase even after a few iterations. A few solutions are provided to limit the number of terms, but some solutions are not very practical and none of them gives an efficient cryptosystem.

The idea of using homogenous quadratic polynomials as the public information is discussed by T. Matsumoto et al., in “Public quadratic polynomial-tuples for efficient signature-verification and message-encryption,” Adv. Cryptol.—EUROCRYPT'88, Berlin, Germany, 1988. To generate the public polynomials, an invertible quadratic monomial over GF(q^(n)), a degree n extension field of GF(q), is chosen. Here, q is a power of 2. The field GF(q) can be considered as an n-dimensional vector space over GF(q). Using basis vectors, the quadratic monomial is converted to n quadratic homogenous polynomials in n variables. The encryption is performed by evaluating public polynomials at the plaintext block. For decryption, the ciphertext block is transformed back to GF(q^(n)) and the monomial is inverted. Unfortunately, this scheme has been broken because of some unexpected algebraic relations.

Two generalizations of this scheme, called hidden field equations (HFE) and isomorphisms of polynomials (IP) were developed. The HFE scheme has been broken. The attack uses the simple fact that every quadratic homogenous multivariate polynomial has a matrix representation. Using this representation, a highly overdefined system of quadratic homogenous equations in the secret information is obtained. A new technique called relinearization for solving such systems was proposed by Kipnis. Running numerous experiments showed that this technique for solving overdefined systems of homogenous quadratic polynomials is not as efficient as one may expect. Hence, it was improved as XL and FXL algorithms. These algorithms are efficient only when the number of polynomial equations is proportional to the square of the number of unknown variables.

Other attacks on the HFE scheme have been developed. These attacks take advantage of the special format of the public polynomials. The latest attack on the HFE family is the fast algorithm of Faugere for computing Groibner basis. It has been shown that the system of public polynomials of HFE can be solved in a reasonable time using this algorithm.

The signature scheme QUARTZ is based on a variant of HFE. QUARTZ can generate signatures of length 128 bits with the security level 2⁸⁰. The security of QUARTZ is studied by Courtois and some generic attacks are provided. The signature schemes FLASH and SFLASH are based on the C*⁻⁻ algorithm that can be regarded as a special case of the more general HFE scheme. It was claimed that these schemes can generate signatures of lengths 296 and 259 bits with the security level 2⁸⁰, respectively. However, SFLASH has been broken.

A signature scheme based on birational permutations is based on using a quadratic homogenous tame automorphism and hiding its coefficients by applying two affine transforms one at the input and one at the output. The public key in this scheme consists of a number of multivariate quadratic polynomials over the ring Z_(n) where n=pq is a positive composite integer consisting of two distinct large prime factors p and q. Although the security of this scheme is based on the integer-factorization problem, it can be regarded as a multivariate cryptographic scheme because of its structure. This scheme has been broken by Coppersmith.

A public-key cryptosystem and signature scheme based on the composition of four tame automorphisms, called tame transformation method (TTM), was introduced by Moh. This scheme was broken by Goubin where the cryptanalysis is reduced to an instance of the MinRank problem that can be solved in feasible time.

BRIEF DESCRIPTION OF THE DRAWINGS

The various features and advantages of the present invention may be more readily understood with reference to the following detailed description taken in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1 illustrates construction of an exemplary paraunitary asymmetric cryptographic system;

FIG. 2 is a flow diagram that illustrates encryption and decryption operations in an exemplary paraunitary asymmetric cryptographic method.

FIG. 3 illustrates construction of an exemplary digital signature system; and

FIG. 4 is a flow diagram that illustrates the signature generation and verification of an exemplary digital signature method.

DETAILED DESCRIPTION

Referring to the drawing figures, disclosed are public-key asymmetric cryptographic systems and methods and digital signature systems and methods that employ paraunitary matrices. Two papers by the present inventors are incorporated herein in their entirety by references. These are “Public-Key Cryptography Using Paraunitary Matrices,” IEEE Transactions on Signal Processing, Vol, 54, No. 9, September 2006, and “Multivariate Signature Using Algebraic Techniques,” ISIT 2006, Seattle, USA, Jul. 9-14, 2006.

Public-Key Cryptography

Public-key cryptography is usually used to exchange secret keys between two parties who have had no prior acquaintance. The secret key is used for encrypting information using secret-key cryptosystems. The reason public-key cryptosystems are not used to encrypt all information is that they are usually much more computationally complex whereas secret-key cryptosystems are much faster.

FIG. 1 illustrates an exemplary paraunitary asymmetric cryptographic system 10. In the system 10, a document or information, referred to as plaintext (x), is encrypted to produce the ciphertext (y). Encryption is performed using a paraunitary matrix and a bijection polynomial vector.

Paraunitary matrices are used for the very first time to design public-key cryptosystems. The paraunitary asymmetric cryptosystem (PAC), at the core, comprises of a paraunitary (PU) matrix over a Galois field specifically GF(256). To define a paraunitary matrix, consider a polynomial matrix P(x), i.e., a matrix of the form

${P(x)} = \begin{bmatrix} {p_{11}(x)} & \cdots & {p_{1n}(x)} \\ \vdots & ⋰ & \vdots \\ {p_{n\; 1}(x)} & \cdots & {p_{nn}(x)} \end{bmatrix}$

in which x is a short form for representing n variables (x₁, . . . , x_(n)) and p_(ij)(x)'s are all polynomials in n variables. Such a matrix is paraunitary if and only if

P ^(T)(x ₁ ⁻¹ , . . . , x _(n) ⁻¹)P(x ₁ , . . . , x _(n))=I

where the superscript T denotes the matrix transposition and I is the identity matrix.

In the following, a very simplified description of the PAC is provided (with some mathematical details trimmed off). To specify the PAC for his own use, an identity A takes the following steps.

(1) Deigns a paraunitary matrix P(x) in n variables

(2) Designs a polynomial vector (a vector with its entries being polynomials) t(x) such that it is a bijection, i.e., knowing (y₁, K, y_(n))=t(x₁, K, x_(n)), one uniquely determines the values of x₁, . . . , x_(n).

(3) Carries out the following multiplication (masking)

${\psi_{A}(x)} = {\begin{bmatrix} {\psi_{1}(x)} \\ \vdots \\ {\psi_{n}(x)} \end{bmatrix} = {\begin{bmatrix} {p_{11}(x)} & \cdots & {p_{1n}(x)} \\ \vdots & ⋰ & \vdots \\ {p_{n\; 1}(x)} & \cdots & {p_{nn}(x)} \end{bmatrix}\begin{bmatrix} {t_{1}(x)} \\ \vdots \\ {t_{n}(x)} \end{bmatrix}}}$

(4) Makes the polynomial vector ψ_(A)(x) public and keeps the paraunitary matrix P(x) secret.

Everyone can encrypt information and send to A. To encrypt a message x (also referred to as the plaintext), one simply evaluates the polynomials ψ₁(x), K, ψ_(n)(x) at x. Let y=Enc_(A)(x) denote the encryption algorithm provided by A.

As is illustrated in FIG. 1, Plaintext x→Enc y=ψ_(A)(x)→ciphertext y.

The decryption process requires knowledge of the secret information that consist of the PU matrix P and the polynomial vector t. Hence, it cannot be performed by everybody, except A. Let SA denote the secret information of A. The decryption algorithm is represented by x=Dec_(SA)(y).

Key exchange between two parties through public-key cryptography, in its simplest form, is as follows. Consider two parties A and B. One of them, say A, randomly picks a secret key k. Moreover, A obtains the authentic encryption algorithm of B from a trusted third party. A sends y=Enc_(B)(k) to B. Upon receiving y, B retrieves the secret key through k=Dec_(SB)(y).

FIG. 2 is a flow diagram that illustrates operations in an exemplary paraunitary asymmetric cryptographic method 20. FIG. 2 also illustrates components of the system 10. The exemplary system 10 and method 20 may be implemented as follows.

Apparatus is provided for creating 21 a paraunitary matrix over a field of characteristic two. Apparatus is provided for creating 22 a polynomial vector whose entries are polynomials and which is a bijection. Apparatus is provided for creating 23 a polynomial vector that is formed by multiplying the paraunitary matrix by the polynomial vector. Apparatus is provided for making 24 the polynomial vector public. Apparatus is provided for encrypting 25 the plaintext information using the public polynomial vector. Apparatus is provided for decrypting 26 the encrypted plaintext information using the secret paraunitary matrix.

The exemplary public-key cryptographic method may be implemented as follows. A paraunitary matrix over a field having characteristic two is defined. A plaintext vector x is generated. The plaintext vector x is masked by evaluating a bijective vector at x and multiplying the result by the paraunitary matrix evaluated at x.

Digital Signature Algorithms

One of the applications of public-key cryptography is the design of digital signature schemes. Since the length of the signature is desirable to be independent of the document length, a short digest of the document to be signed is generated using a hash function. A hash function or message digest code (MDC) generates a short constant-length digest of its input. To simplify explanations, it is assumed that x is the hash of the document to be signed and y is the signature.

The main idea in the design of a signature scheme is as follows. Consider an identity A with the encryption algorithm Enc_(A)(•) and the decryption algorithm Dec_(SA)(•). To sign x, A uses his decryption algorithm to generate the signature y as follows.

y=Dec _(SA)(x).

Then, A provides y as the signature and Enc_(A)(•) as the verification algorithm (public information). Note that x is also available to public. The verification of a signature y′ is performed as follows.

Verified if x=Enc_(A)(y′)

Unverified if x≠Enc_(A)(y′)

By this description, only A can generate an authentic signature while everyone else can verify the generated signature.

Referring to FIG. 3, it illustrates an exemplary digital signature system 30. The exemplary system 30 comprises an encryption algorithm 31 and the corresponding decryption algorithm 32. Apparatus 33 is provided for generating a hash of an electronic document that is to be signed. Apparatus 34 (including the decryption algorithm 32) is provided for generating a signature (y) for the electronic document by decrypting the hash using the decryption algorithm. Apparatus 34 is provided for transmitting the signature, the hash, and the encryption algorithm. Apparatus 35, 36 are provided for encrypting 35 the transmitted signature and comparing 36 the result with the hash to verify the signature.

FIG. 4 is a flow diagram that illustrates an exemplary digital signature method 40. The method 40 may be implemented as follows. At a first site, an encryption algorithm and the corresponding decryption algorithm are provided 41. A hash of an electronic document that is to be signed is generated 42. A signature for the electronic document is generated 43 at the first site by decrypting the hash using the decryption algorithm. The signature, the hash, and the encryption algorithm are transmitted 44 to a second site. The transmitted signature is encrypted 45 at the second site and the result is compared 46 with the hash to verify the signature.

The Cryptographic System

Disclosed is a novel approach for deigning practical public-key cryptosystems. In this approach, paraunitary (PU) matrices are employed to design a one-way function (OWF). The entries of a PU matrix are polynomials with coefficients from a finite field. By their definition, all such matrices are invertible, and obtaining their inverses requires no computation. To include a trapdoor in the OWF, some simplifications in the PU matrix employed in the design of the OWF are made. The difficulty of inverting the designed OWF is connected to the difficulty of solving systems of multivariate polynomial equations over finite fields. To establish this connection, it is shown that any system of multivariate polynomials is expressible in terms of PU matrices. This relationship along with some mathematical conjectures provide enough evidence for the computational security of the trapdoor OWF.

A paraunitary asymmetric cryptosystem (PAC) is provided that is based on the developed trapdoor OWF. The public key in the paraunitary asymmetric cryptosystem consists of a number of multivariate polynomials with coefficients from a finite field F. For practical reasons, the Galois field GF(256) may be used as the field F although it can be any Galois field. To encrypt a message block, which is a vector xεF^(n) for some fixed positive integer n, the public polynomials are evaluated at x. Since there are efficient algorithms for polynomial evaluation, the encryption algorithm in the disclosed scheme is very efficient. The cipher text is a vector yεF^(n+r). where r is a fixed positive integer. The decryption algorithm involves matrix multiplication and polynomial evaluation that can be efficiently performed. Hence, the decryption is also very efficient in the PAC. The typical choices of n and r are 32 and 10, respectively.

PU matrices are a subclass of invertible matrix polynomials whose inverses are guaranteed to exist by their definition. Because of their useful properties, PU matrices have found many applications in signal processing, filter banks, wavelets, and error-control coding. In fact, in earlier works, PU matrices are shown to be promising building blocks to construct wavelet-based symmetric ciphers. It has been shown that every univariate PU matrix over a field of characteristic two can be constructed by multiplying a small number of parameterized PU building blocks. Since there are algorithms to efficiently generate the univariate building blocks, the key-setup time in the PAC is shorter than that in RSA and ECC. Considering the efficiency of the key setup, the encryption, and the decryption in the PAC, its main application is in constrained environments where the computational power is limited.

There exist a limited number of fully-parameterized building blocks, which are PU matrices themselves, that may be used to generate multivariate PU matrices. To generate an arbitrary PU matrix, one simply multiplies these building blocks in an arbitrary order. In the PAC, the parameters of these building blocks are determined based on the secret key.

In the system, the secret key provided by the user is a vector kεF^(n). A key-expansion algorithm is employed to expand the secret key into a finite set of vectors of the same length n. These vectors are employed as the design parameters for the paraunitary building blocks required to construct the PU matrix. In addition, they serve as the design parameters for other matrices and vectors involved in the design of the PAC.

To study the computational security of the PAC, it is argued that its public polynomials are indistinguishable from an arbitrary set of multivariate polynomials. For this purpose, a connection is established between an arbitrary system of multivariate polynomials and PU matrices. It is shown that the problem of expressing every set of multivariate polynomials in the form of the public polynomials in the PAC is equivalent to the PU completion problem that has strong ties with the Quillen-Suslin theorem. The PU completion problem is a well-known mathematical conjecture that is proved to be true in many cases. However, the validity of its general form is an open problem. Although this does not provide a solid proof for the security of the scheme, it is noted that no public-key cryptosystem including RSA and ECC have ever been proved to be secure. As a matter of fact, the existence of OWFs has not been formally proved.

Disclosed is a practical instance of the PAC by providing specifications for the general description of the system. By comparing the complexities of the key setup, the encryption, and the decryption in the PAC and the HFE, it is shown that the former has comparable level of complexity. A complete cryptanalysis of the PAC is discussed which shows that none of the attacks applicable to the HFE presents a security threat to the PAC.

The notation used herein is discussed below. Previous designs by algebraic techniques are briefly reviewed. Unitary and paraunitary matrices are reviewed. The relationship between general systems of multivariate polynomial equations and PU matrices is established. In addition, the public-key generation, encryption, and decryption algorithms of PAC are described. The computational security of the disclosed scheme is discussed in a mathematical language. A practical instance of the general design is introduced and cryptanalyzed.

Notation

Boldfaced lowercase letters are used for vectors. Matrices are denoted by boldfaced uppercase letters. The symbol N is used for the set of natural numbers, and [n]={xεN:1≦x≦n}. The set of all integers is denoted by Z. The Galois field GF(2^(m)), for mεN, is denoted by F since m is fixed. The set of all permutations on n elements is denoted by S_(n). If x=(x₁, . . . , x_(n)) and α=(α₁, . . . , α_(n)), then the shorthand notation x^(α) is used to denote x₁ ^(α) ¹ , K, x_(n) ^(α) ^(n) . Assuming R is a field or a ring, the vector space or the module of column vectors of length n with entries from R is denoted by R^(n). The ring of n×k matrices with entries from R is represented by M_(n,k)(R). In the case n=k, the notation M_(n)(R) is used. The terms vector polynomial and matrix polynomial are used for polynomials whose coefficients are vectors or matrices, respectively. These terms are interchangeably used with the polynomial vector and polynomial matrix that refer to vectors and matrices whose entries are polynomials. One can easily show that these terminologies address the same concept, but from different viewpoints.

In order to facilitate future references, frequently used notations are listed below with their meanings.

[n] {xεN:1≦x≦n};

F Galois field of characteristic two;

S_(n) set of al permutations on n elements;

x (x₁, . . . , x_(n));

α (α₀, . . . , α_(n));

x^(α) x₁ ^(α) ¹ , . . . , x_(n) ^(α) ^(n) ;

M_(n,k)(R) ring of n×k matrices with entries from the ring R;

F[x^(±1)] ring of Laurent polynomials F[x₁ ⁻¹, . . . , x_(n) ⁻¹];

{tilde over (P)}(x₁, . . . , x_(n)) para-Hermitian conjugate P^(T)(x₁ ⁻¹, . . . , x_(n) ⁻¹) of the polynomial matrix P;

U_(n)(F) set of all n×n unitary matrices over the finite field F;

U_(v,ξ) unitary building block defined by equation (1);

PU_(n)(R) set of all n×n paraunitary matrices over the ring R;

B₁(x; v) degree-one paraunitary building block defined by equation (3);

B₂(x; u, v) degree-two paraunitary building block defined by equation (4).

Unitary and Paraunitary Matrices

A matrix AεM_(n)(F) is called unitary if A^(T)A=I. The set of all n×n unitary matrices over the field F is denoted by U_(n)(F). As an example, consider the matrix

U _(v,ζ) =I+ζvv ^(T),

where ζεF and vεF^(n) such that v is self orthogonal, i.e., v^(T)v=0. Since F is a finite field, nonzero self-orthogonal vectors exist in F^(n). It is easily verified that U_(v,ζ) ^(T)U_(v,ζ)=I. In fact, it was proved by Fekri et al. in “Theory of Paraunitary Filter Banks over Fields of Characteristic Two,” in IEEE Trans. Inform. Theory, vol. 48, No. 11, November 2002, pp. 2964-2979 that U_(v,ζ) is the generating building block for all unitary matrices.

The natural generalization of unitary matrices is paraunitary matrices whose entries are polynomials. Before discussing paraunitary matrices, define the sesquilinear form

,

:R^(n)×R^(n)→R^(n) as follows. For f=[f₁, . . . , f_(n)]^(T)εR^(n) and g=[g₁, . . . , g_(n)]^(T)εR^(n), define

${\langle{f,g}\rangle} = {{\overset{\sim}{f}g} = {\sum\limits_{i = 1}^{n}{f_{i}{g_{i}.}}}}$

A set of vectors {f₁, . . . , f_(n)} is called orthonormal if

f₁, f_(j)

=δ_(ij) for all i,jε[N], where δ_(ij) is the Kronecker delta. Based on this definition, the set of column vectors of a paraunitary matrix in PU_(n)(R) is an orthonormal basis for the module R^(n). A matrix polynomial P(x)εM_(n)(R) is called paraunitary if and only if {tilde over (P)}P=I{tilde over (P)}(x)P(x)=I or in other words,

P ^(T)(x ₁ ⁻¹ , . . . , x _(n) ⁻¹)P(x ₁ , . . . , x _(n))=I  (2)

for all x₁, . . . , x_(n)εF\{0}. The set of all n×n paraunitary matrices over the ring R is denoted by PU_(n)(R).

A PU matrix over F[x⁻¹] can be interpreted as the transfer function of a linear time-invariant system. In that context, the degree of a paraunitary matrix in every variable is the minimum number of delay elements in the corresponding variable with which the system can be implemented. There are building blocks for univariate PU matrices over F[x]. It was proved by Fekri et al. in “Theory of Paraunitary Filter Banks over Fields of Characteristic Two,” in IEEE Trans. Inform. Theory, vol. 48, No. 11, November 2002, pp. 2964-2979 that the elementary building blocks are:

(1) degree-one paraunitary building block

B _(I)(x;v)=I+vv ^(T) +vv ^(T) x  (3)

where vεF^(n) is a design parameter such that ., v^(T)v=1;

(2) degree-two paraunitary building block

B ₂(x;u,v)=I+uv ^(T) +vu ^(T)+(uv ^(T) +vu ^(T))x  (4)

where u, vεF^(n) are design parameters such that u^(T)u=v^(T)v=0 and u^(T)v=1;

(3) degree-πτ paraunitary building block

R _(nτ)(x;Λ,V)=VΛV ^(T) +Ix ^(τ) +VΛV ^(T) x ^(2τ)  (5)

In equation (5), τεN and V=[v₁ . . . v_(n)]εM_(n)(F), where v_(i)εF^(n) such that v_(i) ^(T)v_(j)=0 for all i, jε[n]. Moreover, Λ=diag(λ₁, . . . , λ_(n))εM_(n)(F) is a diagonal matrix. Note that τ, V, and Λ are the design parameters of the degree-nτ building block.

It is easily verified that the matrices defined in equations (3)-(5) are all paraunitary. Finding generating building blocks for general multivariate paraunitary matrices is an open problem. Some of these matrices may be captured by multiplying univariate building blocks in different variables. Since these building blocks do not commute, the resulting multivariate paraunitary matrix is not separable.

Below, the structure of the PAC is described and showed how PU matrices can be efficiently used to generate nonlinear equations.

Paraunitary Asymmetric Cryptosystem

The goal in multivariate cryptography is designing a one-way function (OWF) using a system of multivariate polynomial equations. Solving such systems of equations, in general, is an NP-hard problem since all the known algorithms have computational complexity exponential with respect to the number of variables. The OWF is used to design public-key cryptosystems and digital signature schemes. The main challenge is how to include a trapdoor in the OWF without using polynomials of very special form because such polynomials usually weaken the security of the OWF. Consider arbitrary multivariate polynomials f₁(x), . . . , f_(n)(x)εF[x] where x=(x₁, . . . , x_(n)). They can be considered as the entries of a vector f=[f₁, . . . , f_(n)]^(T)εR_(n), where R=F[x^(±1)].

As discussed above, the columns p₁, . . . , p_(n) of an arbitrary paraunitary matrix PεPU_(n)(R) form an orthonormal basis for R^(n). Hence, there exist polynomials t₁, . . . , t_(n)εR such that

$\begin{matrix} {{f = {\sum\limits_{i = 1}^{n}{t_{i}P_{i}}}}{or}} & (6) \\ {{f(x)} = {{P(x)}{t(x)}}} & (7) \end{matrix}$

where t=[t₁, . . . , t_(n)]^(T). Since this equation holds for every paraunitary matrix, there is no unique t associated with a given f.

In the above, it was shown that given a vector f and a paraunitary matrix P, one can find a vector t such that equation (7) holds. In the design of the OWF ψ, equation (7) is used, but instead of finding t for given f and P, a secret automorphism is chosen (i.e., bijective vector polynomial) t and a PU matrix P, then the public vector-polynomial f=Pt is obtained.

There is no general algorithm to generate all automorphisms over the vector space F^(n). However, it is possible to generate some of them by composing tame automorphisms. An automorphism t=[t₁, . . . , t_(n)]^(T) of the form

t _(i)(x)=α_(i) x _(σ(i)) , . . . , x _(σ(i−1))),∀iε[n]  (8)

is tame where σεS_(n), α_(i)εF\{0}, and g_(i)εF[x_(σ(1)), . . . , x_(σ(i−1))] for all iε[n]. A tame automorphism can be efficiently inverted. To compute t⁻¹(y) for y=(y₁, . . . , y_(n))εF^(n), the following formula is recursively used.

x _(σ(i))=α_(i) ⁻¹ +g _(i)(y _(i) +g _(i)(x _(σ(i)) , . . . , x _(σ(i−1)))),iε[n]

To encrypt a message, the public polynomials f₁, . . . , f_(n) are evaluated at the message block. However, to decrypt the ciphertext block by inverting ψ, the value of P(x) at the message x is required. This implies the knowledge about x.

To solve this problem, an r-variate, rε[n], paraunitary matrix PεPU_(n)(F[z]) may be used, where z=(z₁, . . . , z_(r)), and compose it with the vector polynomial φε(F[z])^(r). To decrypt the ciphertext, only the value of ö(x) is required.

By the definition of PU matrices in equation (2), P(z₁, . . . , z_(r)) is singular whenever z_(i)=0 for some iε[r]. Thus, none of the entries of the vector polynomial φ(x) must have a root in F^(n). The polynomial φ(x) is appended to the vector polynomial

{circumflex over (ψ)}(x)=(P∘φ)(x)t(x)  (10)

to form the new vector polynomial

$\begin{matrix} {{\overset{˘}{\psi}(x)} = {\begin{bmatrix} {\left( {P \cdot \phi} \right)(x){t(x)}} \\ {\phi (x)} \end{bmatrix}.}} & (11) \end{matrix}$

To mix the equations, the secret affine transformation v({hacek over (ψ)})=A{hacek over (ψ)}+b is used, where AεU_(n+r)(F) is a unitary matrix and bεF^(n+r) is an arbitrary vector. A unitary matrix is used since: 1) it can be easily and efficiently generated using the unitary building block, 2) by its construction, it is guaranteed to be invertible, and 3) its inverse can be easily obtained with no computation. In a single formula, the paraunitary trapdoor OWF ψ is as follows.

$\begin{matrix} \begin{matrix} {\psi \text{:}} & R^{n} & -> & R^{n + r} \\ \; & x & -> & {y = {{A\begin{bmatrix} {\left( {P \cdot \phi} \right)(x){t(x)}} \\ {\phi (x)} \end{bmatrix}} + b}} \end{matrix} & (12) \end{matrix}$

This is an OWF since evaluating ψ(x) for a given x is easy, but inverting this function seems to be hard. In fact, there does not seem to exist an algorithm to solve the equation ψ(x)=c, for given cεF^(n+r), more efficient than the general methods for solving systems of multivariate polynomial equations. The trapdoor information consist of the paraunitary matrix P, the unitary matrix A, the vector b, the automorphism t, and the multivariate polynomial ö. Hence, ψ is a trapdoor OWF.

The composite matrix polynomial (P∘φ)(x) in equation (12) approximates the PU matrix P(x) in equation (7). This approximation is in the sense that the entries of the PU matrix P(x) in equation (7) are taken from the ring F[x] while those of (P∘φ)(x) in equation (7) belong to the ring F[φ(x)]. These two rings are both extensions of the finite field F, and their relationship is expressed by

F⊂F[φ(x)]⊂ F[x].  (13)

The transcendence degree of the extension ring F[φ(x)], that is an integer between 0 and n, determines whether this ring is close to F or to F[x]. The transcendence degree of an extension ring generalizes the notion of the dimension of a vector space. Let d be the transcendence degree of F[φ(x)]. If d=0, then F[φ(x)]≅F, and if d=n, F[φ(x)]≅F[x]. In general, φ(x) is a mapping from F^(n) to F^(r); thus, it cannot be a bijection if r<n. However, the extension ring F[φ(x)] obtains its highest transcendence degree when φ(x) is “close to a bijection”. This term implies that the pre-images of elements of F^(r) under the mapping φ are subsets of F^(n) that all have the same number of elements. Mathematically, this means that the cardinality of the set φ⁻¹(z)={xεF^(n):φ(x)=z} is independent of the value of z.

If φ=[φ₁, . . . , φ_(r)]^(T), then the following composition is suggested

φ_(i)=γ∘ρ_(i) ∀iε[r].  (14)

Here, ρ=[ρ₁, . . . , ρ_(n)]^(T)ε(F[x])^(r) is close to a bijection. The vector polynomial

ρ_(i)=α_(i) x _(σ(r−i+1)) +g _(i) x _(σ(r−i+2)) , . . . , x _(σ(n)) ,∀[r]  (15)

may be used where σεS_(n), and α_(i)εF\{0}, and g_(i)=F[x_(σ(r−i+2)), . . . , x_(σ(n))] for all iε[r]. To invert ρ in equation (15), the values of x_(σ(r−i+2)), . . . , x_(σ(n)) can be arbitrarily chosen and then the values of x_(σ(r−i+2)), . . . , x_(σ(r)) are obtained from a recursive equation similar to equation (9). Hence, |ρ⁻¹(z)|=|F|^(n−r) for any zεF^(r) is “close” to a bijection.

As explained before, none of the entries of the vector polynomial φ must have a root in F^(n). The irreducible polynomial γεF[x] in equation (14) is used to guarantee that this does not happen. It is suggested that the polynomial

γ(x)=x ² +x+ω, ωεF  (16)

be used, and which is irreducible whenever

${{Tr}(\omega)} = {{\sum\limits_{k = 0}^{m - 1}\omega^{2^{k}}} \neq 0}$

assuming F=GF(2^(m)). Since γ is not an automorphism, φ is not as close to a bijection as ρ is. However, γ is a 2-1 mapping since γ(x+1)=γ(x) for every xεF. Hence, the vector polynomial φ is not significantly deviated from a bijection.

Before using the key-generation algorithm, an algorithm is required to expand the master key provided by the user. Algorithm 1 is employed for this purpose.

Algorithm 1: Key expansion INPUT: The master key k = [k₁, ..., k_(n)]^(T) ∈ F^(n) OUTPUT: The parameter set K = { k₁, ..., k_(k) }⊂ F^(n) 1. for i = 1 to n do k_(i1) ← k_(i) 2. k₁ = [k₁₁, ..., k_(n1)]^(T) 3. for j = 2 to κ do 4. k_(1j) ← k_(1,j−1) ⊕ k_(1,j−1) ⁻¹ ⊕ c_(j−1) 5. for i = 2 to n do k_(i,j) ← k_(i,j−1) ⊕ k_(i−1,j) ⁻¹ 6. k_(j) = [k_(1j), ..., k_(nj)]^(T) 7. end

This algorithm specifies how the vectors required in the key-generation algorithm are derived from the master key k. The vectors in the set K, the output of the key-expansion algorithm, are used to generate the elementary paraunitary building blocks, the vector polynomial φ, the automorphism t, the unitary building blocks, and the vector b. The structure of the key-expansion algorithm is very similar to that of the block cipher AES discussed by Daemen, et al., in The Design of Rijndael” AES—The Advanced Encryption Standard. Berlin, Germany: Springer-Verlag, 2002. The design criteria, similarly, is having nonlinear relations between each output vector and the master key such that taking advantage of these relations in an attack is infeasible. In Algorithm 1, κ is chosen such that there are enough vectors in K, the binary operation ⊕ is the bitwise exclusive-OR, and c₁, . . . , c_(κ−1) are public constants.

It is possible to replace the key-expansion algorithm with a pseudo-random number generator. For present purposes, a fast pseudo-random number generator such as the shrinking or self-shrinking generator is adequate. The shrinking generator consists of two LFSRs that one clocks the other. The idea is to generate a third source of pseudo-random bits that has better “quality” than the original sources. (Here, quality refers to the difficulty of predicting the pseudo-random sequence.) Let a₀, a₁, . . . and s₀, s₁, . . . be the outputs of the two LFSRs. The shrinking generator constructs a third sequence z₀, z₁, . . . that includes those bits a₁ for which the corresponding s_(i) is “1”. There are also more complicated pseudo-random number generators based on one-way functions.

Algorithm 2 is used to generate the public and secret keys used in ψ.

Algorithm 2: Key generation  INPUT: Master key k ∈ F^(n)  PUBLIC OUTPUT: Public polynomial vector Ψ ∈ (F[X])^(n+r)  SECRET OUTPUT: P : an r-variate paraunitary matrix in PU_(n)(F[z]), φ : a vector polynomial in (F[X])^(r), t : an automorphism over F^(n), A : a unitary matrix in U_(n+r)(F), b : a constant vector in F_(n+r).

1. Using Algorithm 1, expand the master key k in order to generate the set K consisting of K vectors each of length n. The vectors in this set are used as the design parameters in every step of this algorithm.

2. Generate an r-variate PU matrix PεPU_(n)(F[z]) by multiplying arbitrarily chosen elementary building blocks given in equations (3)-(5). Note that each of these building blocks requires a number of parameters. Use the vectors in the expansion set K as the design parameters.

3. Choose a vector polynomial φε(F[x])^(r) that is close to be a bijection (in the sense explained before) and none of its entries, as a polynomial in F[x], has a root in F^(n). Use the vectors in K as the design parameters.

4. Choose an automorphism t: F^(n)→F^(n) whose coefficients are obtained from K.

5. Construct the vector polynomials {circumflex over (ψ)} and {hacek over (ψ)} as in equations (10) and (11), respectively.

6. Generate a unitary matrix AεU_(n+r)(F) by multiplying the elementary building blocks given in equation (1) with different design parameters. In addition, choose a vector bεF^(n+r) using the vectors in K.

7. Construct the vector polynomial ψ(x) as in equation (12).

Using the introduced ψ, the public-key PAC is implemented using Algorithms 3 and 4 below. These algorithms are used to encrypt and decrypt in the PAC.

Algorithm 3: Encryption INPUT: Plaintext block x ∈ F^(n) OUTPUT: Ciphertext block y ∈ F^(n+r) 1. Evaluate the public vector-polynomial Ψ (x) at x. Algorithm 4: Decryption INPUT: Ciphertext block y ∈ F^(n+r) OUTPUT: Plaintext block x ∈ F^(n) 1. {circumflex over (v)} ← A^(T)(y + b)∈ F^(n+r) 2. v ← [v₁, ..., v_(n)]^(T) where {circumflex over (v)} = [v₁, ..., v_(n), z₁, ..., z_(r)]^(T) 3. x ← t⁻¹(P^(T)(z₁ ⁻¹, ..., z_(r) ⁻¹)v)

The PAC operates on any finite field GF(2^(m)) with m≧2. The reason it should not be used over GF(2) is that since none of the entries of the vector polynomial φ, must take the value zero, the only possible choice is φ(x)≡1. With this choice, the paraunitary matrix P becomes a constant matrix independent of the values of x. Hence, the PAC becomes a constant matrix multiplied by a vector polynomial that is an automorphism. Instances of such schemes were proposed by A. Shamir, et al. in “Efficient signature schemes based on birational permutations,” Adv. Crypto.—CRYPTO'93, 1994, vol. 773, Lecture Notes in Computer Science, pp. 1-12 and broken by D. Coppersmith, et al. in “Attacks on the birational permutation signature schemes,” Adv. Crypto.—CRYPTO'93, 1994, vol. 773, Lecture Notes in Computer Science, pp. 435-443. GF(256) may be used to enhance the implementation of the scheme.

The length of the ciphertext in the paraunitary asymmetric cryptosystem is n+r. By increasing r, the length of the ciphertext increases, but as explained before, the general formula in equation (7) is approximated better since the transcendence degree of F[φ(x)] increases.

In the following, it is shown how to construct a probabilistic scheme using the paraunitary asymmetric cryptosystem.

Probabilistic PAC

The PAC is a deterministic scheme, i.e., the mapping from the plaintext space to the ciphertext space is deterministic. In other words, given the plaintext, the corresponding ciphertext is always the same. This determinism might cause some leakage of partial information to the adversary. For example, the RSA function preserves the Jacobi symbol of the plaintext, and with the discrete-log function, it is easy to compute the least significant bit of the plaintext from the ciphertext by a simple Legendre symbol calculation. In order to prevent the leakage of partial information, the notion of semantic security was proposed by S. Goldwasser, et al., in “Probabilistic encryption,” J. Comput. System. Sci., vol. 28, no. 2, pp. 270-299, 1984. Informally, a public-key cryptosystem is semantically secure if, for all probability distributions over the message space, whatever a passive adversary can compute in expected polynomial time about the given ciphertext, it can compute in expected polynomial time without the ciphertext. Semantic security is the reminiscent of Shannon's perfect secrecy in which the adversary is given unbounded computational power. Although theoretically attractive, perfect secrecy is not achievable unless the key is as long as the message. This requirement hinders the practical usefulness of perfect secrecy. By contrast, semantic security can be viewed as the polynomially-bounded version of perfect secrecy in which the adversary is given limited computational power.

In a semantically secure cryptosystem, the mapping from the plaintext to the ciphertext is probabilistic. Hence, different encryptions give different ciphertexts corresponding to a single plaintext. An efficient probabilistic public-key cryptosystem based on the RSA one-way function was discussed by M. Blum, et al. in “An efficient probabilistic public key encryption scheme which hides all partial information,” Adv. Cryptol.—CRYPTO'84, 1984, vol. 196, Lecture Notes in Computer Science, pp. 289-302. In general, there are standard methods to construct probabilistic schemes based on deterministic one-way functions. In the following, the method proposed by M. Bellare et al. in “Random oracles are practical: A paradigm for designing efficient protocols,” Proc. ACM Conf. Comput. Commun. Security—CCS'93, New York, 1993, pp. 62-73 to achieve semantic security is briefly explained. This method is based on the random oracle model.

Let G:F^(n)→F^(2n+r) be a random generator that is public to everybody and ψ be an OWF such as the one in equation (12). Consider the following probabilistic encryption function.

E^(G):F^(n)→F^(2n+r)

x→ψ(u)∥(G(u)+x)  (17)

Here, uεF^(n) is a randomly chosen vector and ∥ denotes the concatenation of two vectors. The encryption function E^(G) is semantically secure. Note that the data expansion factor of 2n+r is unavoidable. The adversary, without the trapdoor information, is unable to calculate u and hence x although G is public.

Computational Security of the Paraunitary Asymmetric Cryptosystem

The computational security of the paraunitary asymmetric cryptosystem is evaluated by providing evidences that relate the difficulty of inverting the OWF in paraunitary asymmetric cryptosystem to a known computationally hard problem. The computational security measures the amount of computational effort required, by the best currently-known methods, to defeat a system. In general, it is very difficult to prove the security of public-key cryptosystems. For example, it is known that if the public modulus in RSA is factored into its prime factors, then RSA can be broken. However, it is not proved that breaking RSA is equivalent to factoring the public modulus. By providing some theorems and conjectures, it is established that the connection between the hardness of inverting the OWF ψ in the PAC and the difficulty of solving a general system of multivariate polynomial equations.

The paraunitary asymmetric cryptosystem is based on the formula

f(x)=P(x)t(x)  (18)

where fεR^(n) is an arbitrary polynomial vector, PεPU_(n)(R), and tεR^(n) is an automorphism over F^(n). As explained previously, given an arbitrary polynomial vector f, the relation in equation (18) is valid when the condition on t is relaxed. The security of the scheme reduces to the difficulty of solving general systems of multivariate polynomial equations if the following conjecture is proved.

Conjecture 1: Given an arbitrary polynomial vector fεR^(n), there always exists a matrix PεPU_(n)(R) and an automorphism tεR^(n) such that equation (18) holds.

This conjecture implies that an arbitrary system of multivariate polynomials can always be represented in the form of equation (18). Hence, if this conjecture is true, the public polynomials of PAC are indistinguishable from an arbitrary system of multivariate polynomials.

The group PU_(n)(R) acts on the module R^(n) by matrix multiplication. Notice that paraunitary matrices preserve the norm, i.e., if PεPU_(n)(R) and f, tεR^(n) such that f=Pt, then {tilde over (f)}f={tilde over (t)}t. Hence, PU_(n)(R) acts on the set V_(n) ^(α)(R)={fεR^(n):{tilde over (f)}f={tilde over (α)}α] for every αεR. This group action is transitive if for every two arbitrary f, tεV_(n) ^(α)(R), there exists a matrix PεPU_(n)(R) such that f=Pt. Conjecture 1 is a weaker statement than the transitivity of the action of PU_(n)(R) on V_(n) ^(α)(R) because, for the purpose of the PAC, t is always an automorphism. Hence, the following conjecture, if proved, suffices to prove the Conjecture 1.

Conjecture 2: The group PU_(n)(R) acts transitively on the set V_(n) ^(α)(R).

This conjecture has strong ties with the PU completion problem. This problem is as follows.

Problem 1 (The PU Completion Problem)

Given the vector tεR^(n) such that {tilde over (f)}f={tilde over (α)}α where αεR, does there exist a matrix PεPU_(n)(R) such that f is the first column of αP?

The following lemma gives the relationship between the Conjecture 2 and the PU completion problem.

Lemma 1: The group PU_(n)(R) acts transitively on V_(n) ^(α)(R) for every αεR, if and only if the PU completion problem has a positive answer.

Proof:

Let fεR^(n) such that {tilde over (f)}f={tilde over (α)}α and e=[1, 0, . . . , 0]^(T)εR^(n). Since PU_(n)(R) acts transitively on V_(n) ^(α)(R), there exists a matrix PεPU_(n)(R) such that f=Pαe. The first column of αP is f and αP is the PU completion of f.

Let f, gεV_(n) ^(α)(R) be arbitrary polynomial vectors and e be a vector defined as the first part of the proof.

Since every paraunitary polynomial vector has a paraunitary completion, there are paraunitary matrices P, QεPU_(n)(R) such that f=αPe and g=αQe. This implies f=PQg. Thus, PU_(n)(R) acts transitively on V_(n) ^(α)(R).

The paraunitary completion problem has a positive answer if the class of generalized-unitary matrices, denoted by GU_(n)(R), is considered instead of the class of paraunitary matrices.

Theorem 3 (Quillen-Suslin): Every generalized-unitary polynomial-vector fεR^(n) has a completion in GU_(n)(R).

The matrix PεM_(n,k)(R) is called generalized unitary if there exists a matrix QεM_(n,k)(R) such that {tilde over (Q)}P=I. The set of n×n generalized unitary matrices is denoted by GU_(n)(R). Note that PU_(n)(R)⊂GU_(n)(R). The paraunitary completion problem has a positive answer for the case n=2, but for n>2, it is still an open problem. This problem also has a positive answer for arbitrary n when R=C└x^(±1)┘ where

is the field of complex numbers.

Below, a practical instance of the PAC is provided by choosing the parameters in its general description.

A Practical Instance of the PAC

There are numerous ways to design paraunitary asymmetric cryptosystem depending on the choices of the parameters in Algorithm 2 that is used to generate the key. A good design is the one that meets the following criteria:

1. The public polynomials, entries of ψ, must look random; they should not have any special structure. Solving the system of public polynomials for the plaintext must be computationally infeasible.

2. It is desirable to have sparse public polynomials to keep down the complexity of the encryption. The number of terms of the vector polynomial φ has the most influence in the number of terms of the public polynomials. Therefore, φ should have a few terms.

3. The evaluation of the automorphism t and its inverse must be efficient.

An instance of the PAC is presented in this section by providing specifications for the general description of the system in Algorithm 2.

The resulting scheme is intended to meet the design criteria. Choose F=GF(256) because of implementation considerations. In addition, choose 16≦32 for the block length that corresponds to 128 to 256 bits. However, the scheme is flexible and the order of the field F and value of n can be different without affecting the structure. The secret key consists of n symbols from F. r is fixed because its value exponentially affects the number of monomials of the PU matrix P. Considering the range of n, it is suggested that r=10 for reasons that will become clear later in the paper. For this choice of r, the size of the ciphertext block varies between 208 and 264 bits.

A. Constructing the Vector Polynomial ψ

For the PU matrix P, only B₁ and B₂ building blocks defined in equations (3) and (4) are used because the number of their parameters is less than those of R_(nτ) defined in equation (5). Moreover, they can be generated with less complexity. To generate the PU matrix PεPU_(n)(F[z]), where z=[z₁, . . . , z_(r)]^(T), N univariate building blocks are designed in each variable. The parameter N is independent of n, and its typical value is 2. Let C_((i−1)N+1)(z_(i)), . . . , C_(iN)(z_(i)) be the PU building blocks in the variable z_(i) for all iε[r]. Then, the paraunitary matrix P(z) is obtained as follows

$\begin{matrix} {{{P(z)} = {\prod\limits_{i = 1}^{rN}{C_{\sigma {(i)}}\left( z_{\lceil{{\sigma {(i)}}/N}\rceil} \right)}}},} & (19) \end{matrix}$

where σεS_(rN) is a public permutation and ┌•┐ is the ceiling function. Note that since these building blocks do not commute, the order of terms in the above multiplication is important.

The special structure of the B₁ and B₂ building blocks makes the multiplication of the C_(i) matrices less complex than multiplying arbitrary matrices. By induction, it can be easily shown that these building blocks and their multiplications have the following form

$\begin{matrix} {{C(z)} = {I + {\sum\limits_{á \in A}{\sum\limits_{j \in J}{u_{á\; j}v_{á\; j}^{T}z^{á}}}}}} & (20) \end{matrix}$

where u_(αj), v_(αa)εF^(n), A⊂

₀ and J⊂N such that A and J are finite sets. Note that the matrix C is completely determined if the sets A and J along with the following sets of vectors are known.

U(C)={u _(αj) :αεA,jεJ}  (21a)

V(C)={v _(αj) :αεA,jεJ}  (21b)

Hence, if C is one of the intermediate matrices in the process of multiplying the matrices C_(i) in equation (19), instead of multiplying the vectors u_(αj) and v_(αj), the sets U(C) and V(C) are obtained. That is why the generating algorithms for the building blocks B₁ and B₂, as described below, only compute the vector parameters of these building blocks. The advantage of this strategy is reducing the complexity of multiplying matrices. The following fact can be stated about the complexity of multiplying two matrices of this special form.

Fact 1: Let C₁, . . . , C_(L) be matrices each with the form of the special format of equation (20). Then, the complexities of computing U(Π_(i=1) ^(L)C_(i)) and V(Π_(i=1) ^(L)C_(i)) are both upper bounded by

${{{{\bigcup\left( {\prod\limits_{i = 1}^{L}C_{i}} \right)}}\left( {{Ln} + L - 2} \right)} \leq {\left( {\prod\limits_{i = 1}^{L}{{\bigcup\left( C_{i} \right)}}} \right)\left\lbrack {{L\left( {n + 1} \right)} - 2} \right\rbrack}} = {O(n)}$

assuming that L and the cardinalities of all sets are independent of n.

Using this procedure, after carrying out all the multiplications required to compute the PU matrix P in equation (19), the sets U (P) and V (P) are obtained. Having these sets, by Fact 1, the following fact can be stated about the total complexity of generating the matrix P.

Fact 2: The complexities of constructing U (P) and V (P) are both upper bounded by 2^(2rN)[rN(n+1)−2]=O(n²) since r and N are constants. Having U (P) and V (P), the complexity of constructing P(z) is at most |U(P)|n²≦2^(2rN)n²=O(n²). Hence, the total complexity of constructing P(z) is at most 2^(2rN)[n²+rN(n+1)−2]=O(n²).

Every entry of P is a multivariate polynomial in z₁, . . . , z_(r) with the maximum degree of z_(i) being N for all iε[r]. Hence, the following fact can be stated.

Fact 3: Entries of the PU matrix P are r-variate polynomials whose monomials are subsets of a maximal set of monomials. The cardinality of this maximal set is O((N+1)^(r))=O(1) since both N and r are constants.

With r=10 and N=2, the size of the maximal set in Fact 3 is 3¹⁰≈2¹⁶. It is feasible to generate and store a polynomial with this many monomials in practice.

For φ, a structure is used as suggested in equation (14) for the irreducible polynomial γ as in equation (16) (in which the value of ω is public) and the vector polynomial ρ as follows.

$\begin{matrix} {{\rho_{i}(x)} = {{\alpha_{i}x_{r - i + 1}} + {\beta_{i}{\prod\limits_{j = {r - i + 2}}^{n}{x_{j}^{a_{ij}}\mspace{14mu} {\forall{i \in \lbrack r\rbrack}}}}}}} & (22) \end{matrix}$

Here, a_(ij)εN are public exponents and α_(i), β_(i)εF\{0}, for all iε[r], are secret coefficients whose values are obtained from the set K in Algorithm 2. The exponents a_(ij) directly influence the degree of the final public polynomials. As will be explained later, to make sure that some attacks are not applicable on the system, these exponents are chosen proportional to the block length n, i.e.,

a _(ij) =O(n)∀i,j.  (23)

As the result, the total degree of the public polynomials becomes proportional to n. Note that since all the computations are performed in GF(2^(m)), all exponents are modulo 2^(m−1). Hence, if 2≦n, equation (23) will not have the desired effect. The following fact gives the complexity of constructing φ.

Fact 4: The complexity of constructing φ as in equation (14) is O(r)=O(1) since r is constant.

The next step is composing P(z) and φ(x) to get the matrix polynomial (P oö)(x). Let P(z)=[p_(ij)(z)], where

${p_{ij}(z)} = {{\sum\limits_{á \in C}{p_{{ij}\; á}z^{á}}} \in {F\lbrack z\rbrack}}$

and c⊂

_(c0)C⊂Z_(≧0) ^(r) is a finite set such that |C|=O(1) by Fact 3. To construct

${{P\left( {\phi (x)} \right)} = \left\lbrack {\sum\limits_{\alpha \in C}{p_{{ij}\; \alpha}{\phi^{\alpha}(x)}}} \right\rbrack},$

φ^(α)(x) for αεC must be computed.

Since the exponents αεC are independent of n, the complexity of computing (p_(ij)∘φ)(x) is O(|C|). Hence, the total complexity of constructing (P∘φ)(x) is O(|C|n²)=O(n²).

Using Fact 3, the following fact can be stated.

Fact 5: Entries of the matrix (P∘φ)(x) are multivariate polynomials whose monomials are subsets of a maximal set of monomials. The cardinality of the maximal set is independent of n.

Having the matrix polynomial (P∘φ)(x), an automorphism t is required to obtain the public vector-polynomial ψ. It is suggested that the composite automorphism t=t₂∘t₁ where t₁ and t₂ are tame automorphisms over F^(n). If t₁=[t₁₁, . . . , t_(1n)]^(T), then

$\begin{matrix} {{{t_{1i}(x)} = {x_{i} + {\eta_{i}{\prod\limits_{j = 1}^{i - 1}x_{j}^{b_{ij}}}} + {\xi_{i}\mspace{14mu} {\forall{i \in \lbrack n\rbrack}}}}},} & (24) \end{matrix}$

where η₂, . . . , η_(n)εF\{0}, ξ₁, . . . , ξ_(n)εF\{0}, and b_(ij)εN for all iε={2, . . . , n} and jε[i−1].

Similarly, if t₂=[t₂₁, . . . , t_(2n)]^(T), then

$\begin{matrix} {{t_{2i}(x)} = {x_{n - i + 1} + {\mu_{i}{\prod\limits_{j = 2}^{\min {({i,K})}}{x_{n - i + j}^{c_{ij}}\mspace{14mu} {\forall{i \in \lbrack n\rbrack}}}}}}} & (25) \end{matrix}$

where μ₂, . . . , μ_(n)εF\{0}, c_(ij)εN, for iε{2, . . . , n} and jε{2, . . . , min(i,k)},and K is a constant such that K<n (a typical value is K=5).

The coefficients η_(i) and ξ_(i) in equation (25) are kept secret and their values are obtained from the set K in Algorithm 2

The exponents b_(ij) and c_(ij) are public.

To keep the complexity of the encryption low, the restriction b_(ij) and c_(ij)≦B is imposed for all i and j, where B is a fixed integer independent of the block length n. The following important fact is noted.

Fact 6: Each entry of t is a multivariate polynomial that has a constant number of monomials independent of n.

The complexities of evaluating t and t⁻¹ are given in the following facts.

Fact 7: Complexities of evaluating t and t⁻¹ are both O(n²).

The next step in generating the OWF ψ is multiplying (P∘φA)(x) and t(x) to get the vector polynomial {circumflex over (ø)}(x) as in equation (10). By Facts 5 and 6, the complexity of carrying out this multiplication is O(n²). The vector polynomial {circumflex over (ø)}(x) consists of n multivariate polynomials whose number of monomials, given by the following fact, influences the complexity of the encryption.

Fact 8: Entries of {circumflex over (φ)}(x) are polynomials whose monomials are subsets of a maximal set of monomials. The cardinality of the maximal set is O(n).

The final step is generating a unitary matrix A and multiplying it by the vector polynomial

(x) defined in equation (11). As explained above, all unitary matrices are generated by multiplying copies of the building block U_(v,π) defined in equation (1). To reduce the complexity, only one building block is used for A with ζ=1 and v taken from K. The algorithm presented below can be used to generate A with complexity O((n+r)²)=O(n²). Once one has the unitary matrix A, the final step is performing the multiplication A{hacek over (ψ)}. Entries of the matrix A are constants, but those of {hacek over (ψ)} are multivariate polynomials that have O(n) terms by Fact 8. Hence, the complexity of carrying out the multiplication A{hacek over (ψ)} is O(n(n+r)²)=O(n³). The number of monomials of the entries of ψ is given in the following fact.

Fact 9: Entries of ψ are polynomials whose monomials are subsets of a maximal set of monomials. The cardinality of the maximal set is O(n).

All the exponents involved in the construction of ψ are fixed integers except the exponents a_(ij) that are proportional to n. Hence, the following fact can be stated about the total degree of ψ.

Fact 10: The total degree of the public polynomials in ψ is proportional to n. The complexities computed in this subsection are summarized in Table I.

TABLE I Com- plexity Complexity Complexity Complexity P O(n²) P ∘ φ O(n²) {circumflex over (ø)} O(n²)

O(n³) φ O(1) t O(n) A O(n²) O(n³)

A toy example of the paraunitary asymmetric cryptosystem is presented below. It is noted that this is not a practical example of the paraunitary asymmetric cryptosystem, and the resulting public-key system is insecure in practice due to small choices for parameters. The purpose of this example is to show how the system is designed and illustrate the structure of public polynomials.

In the design, the computer algebra software Singular has been used.

The block size is n=3 and r=1.

The operating finite field is GF(256) with the primitive element ε.

Since r=1, the vector polynomial p is a one-dimensional multivariate polynomial. Its coefficients and exponents are choose as follows.

ρ(x)=εx ₁+ε³ x ₁ ²+ε³ x ₂ ⁸ x ₃ ⁶+ε⁶ x ₂ ¹⁶ x ₃ ¹²  (B.1)

For the irreducible polynomial ψ(x) in equation (16), ω=ε⁵ since Tr(ε⁵)≠0. These choices give the following irreducible multivariate polynomial for the vector polynomial φ(x) in equation (14).

φ(x)=ε⁵ +εx ₁ +ε ³ x ₁ ²+ε³ x ₂ ⁸ x ₃ ⁶+ε⁶ x ₂ ¹⁶ x ₃ ¹².  (B.2)

In the example, the PU matrix P consists of only one degree-one building block as in equation (3) with the vector v=[e e⁵ e⁴⁷]^(T). For the unitary matrix A, the building block U_(v,ξ) in equation (1) is used with ζ=1 and v=[1 e e⁵ e² e³³]^(T). The constant vector b is chosen to be b=[e3 e² 1 e⁶ e¹⁷]^(T).

As stated in Fact 9, the entries of the OWF ψ are polynomials whose monomials are subsets of a maximal set of monomials. Hence, one of the public polynomials is given. The rest of them have similar structures.

If φ(x)=[φ₁(x) φ₃(x) φ₃(x) φ₄(x)]^(T), then the polynomial φ₁(x) is as follows.

$\begin{matrix} {{\phi_{1}(x)} = \begin{matrix} {ɛ^{33} + {ɛ^{233}x_{1}} + {ɛ^{67}x_{2}} + {ɛ^{75}x_{3}} + {ɛ^{159}x_{4}}} \\ {{ɛ^{149}x_{1}x_{2}} + {ɛ^{39}x_{2}^{2}} + {ɛ^{87}x_{1}x_{3}} + {ɛ^{78}x_{2}^{3}} + {ɛ^{209}x_{1}^{2}x_{2}^{2}}} \\ {{ɛ^{114}x_{1}^{3}} + {ɛ^{150}x_{1}^{2}x_{2}} + {ɛ^{208}x_{1}x_{2}^{2}} + {ɛ^{88}x_{1}^{2}x_{3}}} \\ {{ɛ^{25}x_{2}^{3}x_{3}} + {ɛ^{160}x_{1}x_{2}^{3}} + {ɛ^{153}x_{1}^{4}} + {ɛ^{194}x_{2}^{3}} + {ɛ^{209}x_{1}x_{2}^{2}x_{3}}} \\ {{ɛ^{161}x_{1}^{3}x_{3}^{2}} + {ɛ^{154}x_{1}^{5}} + {ɛ^{195}x_{1}^{2}x_{2}^{2}x_{3}} + {ɛ^{47}x_{1}^{6}} + {ɛ^{216}x_{1}^{7}}} \\ {{ɛ^{33}x_{1}^{6}x_{3}} + {ɛ^{217}x_{1}^{8}} + {ɛ^{202}x_{1}^{7}x_{3}} + {ɛ^{203}x_{1}^{8}x_{3}}} \\ {{ɛ^{75}x_{1}^{5}x_{2}^{6}} + {ɛ^{87}x_{1}^{6}x_{2}^{6}} + {ɛ^{88}x_{1}^{7}x_{2}^{6}} + {ɛ^{25}x_{1}^{5}x_{2}^{8}}} \\ {{ɛ^{194}x_{1}^{6}x_{2}^{8}} + {ɛ^{195}x_{2}^{8}x_{3}^{6}} + {ɛ^{1995}x_{1}^{7}x_{2}^{8}} + {ɛ^{193}x_{1}x_{2}^{8}x_{3}^{6}}} \\ {{ɛ^{151}x_{2}^{9}x_{3}^{6}} + {ɛ^{89}x_{2}^{8}x_{3}^{7}} + {ɛ^{210}x_{2}^{10}x_{3}^{7}} + {ɛ^{162}x_{1}x_{2}^{8}x_{3}^{8}}} \\ {{ɛ^{33}x_{1}^{11}x_{2}^{6}} + {ɛ^{155}x_{2}^{3}x_{2}^{8}x_{3}^{6}} + {ɛ^{196}x_{2}^{10}x_{3}^{7}} + {ɛ^{202}x_{1}^{12}x_{2}^{6}}} \\ {{ɛ^{203}x_{1}^{13}x_{2}^{6}} + {ɛ^{218}x_{1}^{6}x_{2}^{8}x_{3}^{6}} + {ɛ^{204}x_{1}^{6}x_{2}^{8}x_{3}^{7}} + {ɛ^{78}x_{1}^{10}x_{2}^{12}}} \\ {{ɛ^{160}x_{1}^{11}x_{2}^{12}} + {ɛ^{161}x_{1}^{12}x_{2}^{12}} + {ɛ^{89}x_{1}^{5}x_{2}^{14}x_{3}^{6}}} \\ {{ɛ^{196}x_{1}^{5}x_{2}^{16}x_{3}^{6}} + {ɛ^{198}x_{2}^{16}x_{3}^{12}} + {ɛ^{163}x_{1}x_{2}^{16}x_{3}^{12}}} \\ {{ɛ^{154}x_{2}^{17}x_{3}^{12}} + {ɛ^{92}x_{2}^{16}x_{3}^{13}} + {ɛ^{213}x_{2}^{18}x_{3}^{12}} + {ɛ^{165}x_{2}^{16}x_{3}^{14}}} \\ {{ɛ^{204}x_{1}^{11}x_{2}^{14}x_{3}^{6}} + {ɛ^{158}x_{1}^{3}x_{2}^{16}x_{3}^{12}} + {ɛ^{199}x_{2}^{18}x_{3}^{13}}} \\ {{ɛ^{221}x_{1}^{6}x_{2}^{16}x_{3}^{12}} + {ɛ^{207}x_{1}^{6}x_{2}^{16}x_{3}^{13}} + {ɛ^{162}x_{1}^{11}x_{2}^{20}x_{3}^{6}}} \\ {{ɛ^{92}x_{1}^{5}x_{2}^{22}x_{3}^{12}} + {ɛ^{199}x_{1}^{5}x_{2}^{24}x_{3}^{12}} + {ɛ^{207}x_{1}^{11}x_{2}^{22}x_{3}^{12}}} \\ {ɛ^{165}x_{1}^{10}x_{2}^{28}{x_{3}^{12}.}} \end{matrix}} & {B(3)} \end{matrix}$

B. The Complexity of Paraunitary Asymmetric Cryptosystem

Below, complexities of the key generation are discussed, along with the encryption, and the decryption in the paraunitary asymmetric cryptosystem. Adding up the complexities listed in Table 1, it is concluded that the total complexity of the public-key generation is O(n³). The secret key consists of the paraunitary matrix P, the automorphism t, the unitary matrix A, and the constant vector b. By Table 1, the total complexity of generating these matrices and vectors is O(n²).

To compute the complexity of Algorithm 3 that is the encryption algorithm, it is noted that by Fact 9, the public polynomials ψ₁, . . . , ψ_(n+r) (entries of ψ) share the same set of monomials.

Let this set be {x^(α) ^(i) :α_(i)εZ_(≧0) ^(n), iε[M]} where MεIN is the cardinality of this set. Then,

${\varphi_{i}(x)} = {\sum\limits_{j = 1}^{M}{\psi_{ij}(x)}}$

where ψ_(ij)εF.

Thus, ψ(x) has the matrix formulation ψ(x)=ΨX where Ψ=[ψ_(ij)] is an (n+r)×M matrix and X=[x^(φ) ^(i) , . . . , x^(φ) ^(M) ]^(T) is a vector of length M. The complexity of computing ΨX is M(n+r). Since M=O(n) by Fact 9, the total complexity is O(n²). The complexity of evaluating the vector X at the plaintext block is O(n³) by Fact 10. Hence, the total complexity of the encryption is O(n³).

For the decryption, Algorithm 4 is employed. The complexity of computing v in this algorithm is O((n+r)²)=O(n²). Since by Fact 3 every entry of the paraunitary matrix P has constant number of monomials, the complexity of computing P^(T)(z₁ ⁻¹, . . . , z_(r) ⁻¹) in Algorithm 4 is O(n²). Using Fact 7, the complexity of computing the plaintext vector x in this algorithm is O(n²). Hence, the total complexity of the decryption is O(n²).

In summary, the complexity of paraunitary asymmetric cryptosystem in Table II. The complexity of HFE public-key scheme is also provided for comparison. The table shows that the computational complexity of the public-key generation and the decryption in the paraunitary asymmetric cryptosystem is lower than those in the HFE. It is worth mentioning that the complexities of encryption and decryption in RSA are both O(m³n³) for a block length of size mn bits. In Table II, m is the number of bits per field element.

TABLE II Public-key Secret-key generation generation Encryption Decryption PAC O(m²n³) O(m²n²) O(m²n³) O(m²n²) HFE O(m²n⁴) O(m²n²) O(m²n³) O(m²n²(m + logn))

Cryptanalysis of the Instance of the Paraunitary Asymmetric Cryptosystem

The entries of the vector polynomial ψ are the public information in paraunitary asymmetric cryptosystem. In order to attack this scheme, one approach is solving the system of polynomial equations y_(i)=ψ_(i)(x), iε[n+r], for x where y=(y₁, . . . , y_(n+r)) is the ciphertext. The other approach is finding the secret key from the public polynomials. Below, the vulnerability of paraunitary asymmetric cryptosystem to algebraic attacks initially developed for the HFE family is investigated. Some of these attacks are quite general and applicable on other schemes. The vulnerability of the paraunitary asymmetric cryptosystem for some bad choices of parameters is also investigated. These attacks follow one of the approaches mentioned above. Results show that the practical instance of the paraunitary asymmetric cryptosystem, discussed above, is resistant to all these attacks. Note that key exhaustive-search has the complexity |F|^(n)≧2¹²⁸ that is infeasible. Attacks studied include the Gröbner basis, univariate polynomial representation, relinearization, XL and FXL algorithms, and an attack for small r.

Since the public polynomials of HFE are homogenous, all attacks developed for HFE are specialized for homogenous polynomials. The public polynomials in paraunitary asymmetric cryptosystem are not homogenous. However, they can be converted into the homogenous form using a technique employed in algebraic geometry for going from the affine space to the projective space. Let θ_(i) be the total degree of the public polynomial ψ_(i) in the PAC, where iε[n+r]. Suppose θ=max{θ₁, . . . , θ_(n+r)}.

To convert the system of public polynomials into a system of homogenous polynomial equations, replace x_(i) by X_(i)/X₀ for all iε[n] and multiply through each equation by X₀ ^(θ).

The result is the following system of homogenous equations of degree θ that consists of n+r equations in n+1 variables X₀, . . . , X_(n)

$\begin{matrix} {{{X_{0}^{\theta}y_{i}} = {X_{0}^{\theta}{\psi_{i}\left( {\frac{X_{1}}{X_{0}},\ldots \mspace{11mu},\frac{X_{n}}{X_{0}}} \right)}}},{i \in {\left\lbrack {n + r} \right\rbrack.}}} & (26) \end{matrix}$

From Fact 10, it is noted that the total degree of the homogenous polynomials in this system is proportional to n, i.e., θ=O(n).

A. Gröbner Basis

Gröbner basis is the classical method for solving systems of polynomial equations. This technique can theoretically solve all systems of this kind. However, its complexity is exponential in the number of variables although there is no closed form formula for it. The complexity of computing a Gröbner basis for the public polynomials of the HFE is infeasible using the Buchberger's algorithm that is the classical algorithm for computing the Gröbner basis. However, it is completely feasible using the algorithm F₅ discussed by J. C. Faugere et al., in “Algebraic cryptalanalysis of hidden field equation (HFE) cryptosystems using Grobner bases,” in Adv. Cryptol.—CRYPTOL'03, vol. 2729, Lecture Notes in computer Science, pp. 44-60. The complexities of solving the public polynomials of several instances of the HFE using the algorithm F₅ are provided Faugere. The special form of the public polynomials in the HFE scheme makes it vulnerable to different attacks. In particular, it implies a relatively small upper bound on the degrees of the polynomials that occur during the Gröbner basis computation. Moreover, as expressed by Faugere, “A crucial point in the cryptanalysis of HFE is the ability to distinguish a random algebraic system from an algebraic system coming from HFE.” The public polynomials in the PAC are not homogenous. Moreover, they look random since they are derived from the general formula in equation (7) relating an arbitrary system of polynomial equations to PU matrices.

In order to apply the methods of Faugere to the paraunitary asymmetric cryptosystem, the system of homogenous polynomials in equation (26) is employed. However, the total degree of the resulting system is proportional to the number of variables n. It is explained by Faugere that in this case, there does not seem to exist a polynomial time algorithm to compute the Gröbner basis. Hence, solving the public polynomials of the paraunitary asymmetric cryptosystem using the Gröbner basis method is infeasible.

B. Univariate-Polynomial Representation of the Public Polynomials

This attack is based on the observation that any system of n multivariate polynomials in n variables over a field F can be represented as a single sparse univariate polynomial of a special form over an extension field K of degree n over F. This is summarized in the following lemma.

Lemma 2: Let f_(i)(x₁, . . . , x_(n)),iε[n] be any system of n multivariate polynomials in n variables over F with the cardinality q. Then, there are coefficients a₀, . . . a_(q) _(n) ⁻¹εK such that the system of polynomials is equivalent to the univariate polynomial

${F(x)} = {\sum\limits_{i = 0}^{q^{n - i}}{a_{i}{x^{i}.}}}$

The drawback of this approach is that the number of terms of the equivalent univariate representation FεK[x] is exponentially related to the number of variables. However, when the polynomials f_(i) are homogenous, which is the case in HFE, the polynomial F is sparse. This fact, stated in the following lemma, significantly enhances the attack on the HFE using univariate polynomial representation.

Lemma 3: Let C be any collection of n homogenous multivariate polynomials of degree θ in n variables over F. Then, the only powers of x that appear in the univariate polynomial representation F over K are sums of exactly θ (not necessarily distinct) powers of q, i.e., q^(i) ¹ + . . . +q^(i) ^(θ) . Hence, the number of nonzero terms and the degree of F are both O(n^(θ)).

To apply the above technique to solve the homogenous form of the public polynomials in the PAC in equation (26), recall that the degree of the homogenous polynomials θ is proportional to n. Hence, the degree and the number of nonzero terms of the univariate polynomial representation F are both O(n^(n)). The complexity of root finding algorithms, e.g., Berlekamp algorithm, is polynomial in the degree of the polynomial. This results in an exponential time algorithm to find the roots of F. Therefore, this approach is less efficient than the exhaustive search.

C. Relinearization, XL, and FXL Algorithms

These techniques, developed to attack the HFE family, are methods for solving highly overdefined systems of polynomial equations, i.e., systems consisting of εn² equations in n variables where ε>0. In this situation, the complexity of these algorithms is approximately n^(O(1/√{square root over (ε)})). However, when the number of equations is n+r for some 1≦r≦n, then these techniques are not efficient. In order to mount an attack on the HFE scheme using these methods, the equivalent univariate polynomial representation of the public polynomials are obtained using Lemma 2. By Lemma 3, it has the form G(x)=xGx ^(T) where G=[g_(ij)] and x=[x^(q) ⁰ , . . . , x^(q) ^(n−1) ]. It has been shown that the cryptanalyst can use this matrix representation to obtain a system of O(n²) polynomial equations in O(n) variables. The relinearization, XL, and FXL algorithms are used to solve this system. Since the homogenous form of the public polynomials of the PAC in equation (26) are not quadratic, their univariate polynomial representation is not quadratic. Hence, it does not have a matrix representation as G(x). Therefore, the attack developed by A. Kipnis et al., in “Cryptanalysis of the HFE public key cryptosystem by relinearization,” in Adv. Cryptol.—CRYPTO'99, 1999, vol. 1666, Lecture Notes in Computer Science, pp. 19-30 is not applicable on the PAC. However, the adversary may directly apply the relinearization, XL, or FXL algorithm, the system of homogenous polynomials in equation (26). In the following, it is shown that this approach is unsuccessful.

The relinearization technique is developed Kipnis for solving overdefined systems of homogenous quadratic polynomial equations. Unfortunately, it has been shown that the relinearization technique is not as efficient as one may expect since many of the newly generated equations are dependent. Hence, an extended relinearization (XL) algorithm was proposed by N. T. Courtois, et al., in “Efficient algorithms for solving overdefined systems of multivariate polynomial equations,” Adv. Cryptol.—EUROCRYPT'00, 2000, vol. 1807, Lecture Notes in Computer Science, pp. 392-407. It is claimed to be the best algorithm for highly overdefined systems of multivariate homogenous equations. Using the homogenous polynomials of equation (26), a system of n+r homogenous equations in n+1 variables are provided where 1≦r≦n. It has been that in this case, the XL has exponential complexity. Therefore, the XL algorithm cannot be directly used to mount an attack on the PAC.

A variant of the XL algorithm, called fixing and XL (FXL), was introduced by Courtois. In this algorithm, some variables are guessed to make the system slightly overdefined. Then, the XL algorithm is applied. The main question is how many variables must be guessed. Although more guesses make the system more unbalanced, they add to the complexity of the algorithm. The optimum number of guesses is provided by Courtois. Using this optimum value, the FXL has the exponential complexity for solving the system of public polynomials in PAC. Hence, the FXL algorithm can not be efficiently applied on the PAC.

D. An Attack for Small r

This attack is applicable on the PAC when r is small, specially r=0.1, and also when t=[t₁,K, t_(n)]^(T) in equation (12) is a tame automorphism of the form

t _(i)(x)=x _(i) +g _(i)(x ₁ , . . . , x _(i−1)), ∀iε[n]  (27)

where g_(i)εF[x₁, K, x_(i−1)]. The attack for r=1 is now briefly described. In this case, φ is a multivariate polynomial in x, denoted by φ(x), i.e.,

${\varphi (x)} = {{\gamma\left( {{\alpha \; x_{1}} + {\beta {\prod\limits_{i = 2}^{n}x_{i}^{a_{i}}}}} \right)}.}$

The adversary fixes x₁, . . . , x_(i−1) and computes the value of ψ for all x_(n)εF. There exists a subset D⊂F and a constant φ₀εF such that for all x_(n)εD, φ(x)=φ₀. The PU matrix becomes the constant matrix P(φ₀) over D. Because of the special structure of the automorphism t in equation (27), the values of the polynomials t₁, . . . , t_(n−1) do not change over D since they depend only on x₁, . . . , x_(n−1). The only polynomial that varies over D is t_(n). This implies that E={ψ(x):x_(n)εD} is a one-dimensional subspace of F^(n+1). Examination of E gives the value of the last column of P up to scaling.

In the next step, the adversary fixes x₁, . . . , x_(n−2) and computes the value of v for all (x_(n−2), x_(n))εF². Using a similar approach, the adversary can obtain some information about the next-to-the-last column of the PU matrix P. Repeating this process, the adversary is able to obtain useful information about the PU matrix.

This attack works for two reasons:

1. The variable x_(n) appears only in the last entry of the automorphism t. Hence, by fixing x₁, . . . , x_(n−1), the polynomials t₁, . . . , t_(n−1) become constant. The practical instance of the PAC, introduced above, does not have this problem. The automorphism t employed in the practical instance is the composition of two tame automorphisms t₁ and t₂ given in equations (24) and (25). By the special structure of these automorphisms, every variable appears in at least K entries of t.

2. In the example given here, F[φ(x)] has the lowest transcendental degree. To avoid such attacks, the value of r should not be small. In general, in order to find D, the adversary must examine the set F^(r) that has cardinality |F|^(r)=2^(8r). For the typical choice r=10, the size of this space is 2⁸⁰. Thus, finding D becomes infeasible for the adversary.

In summary, a framework was introduced to construct public-key cryptosystems using paraunitary (PU) matrices over finite fields. This framework evolves from relating general systems of multivariate polynomial equations to the paraunitary matrices. Using the general formula expressing this relationship, a practical trapdoor one-way function (OWF) has been designed. The difficulty of inverting the OWF is based on the NP-hard problem of solving systems of multivariate polynomial equations. A new public-key cryptosystem paraunitary antisymmetric cryptosystem has been disclosed based on the trapdoor OWF. To encrypt a message using PAC, public multivariate polynomials are evaluated at the message. Hence, comparing to other public-key cryptosystems such as RSA and ElGamal the encryption algorithm is efficient. A practically efficient instance of the paraunitary antisymmetric cryptosystem was described by making simplifications to the general description. The PU matrix used in the instance of paraunitary antisymmetric cryptosystem can be generated using fully-parameterized elementary building blocks. There are algorithms to efficiently generate these building blocks. Therefore, the key setup is fast and efficient in PAC which is another distinguishing feature of the scheme. By developing efficient realization of the instance of the paraunitary antisymmetric cryptosystem, it has been shown that the complexities of the public-key generation and the decryption in the paraunitary antisymmetric cryptosystem are lower than those in the HFE.

Multivariate Signatures

Disclosed below are details regarding techniques for generating multivariate signatures using algebraic techniques. More specifically, this involves an algebraic framework for designing trapdoor one-way functions with applications in multivariate signature schemes. The framework involves PU matrices (discussed above), which are a special subset of invertible polynomial-matrices. The algebraic framework is used to implement a paraunitary digital—signature scheme (PDSS).

In the disclosed approach, t is designed to be an arbitrary bijection over F^(n). The difficulty is that for any εF^(n), solving the equation y=P(x)t(x) for x requires knowledge of the value of {tilde over (P)}(x) at x that in turn requires the knowledge of x. To overcome this paradigm, an r-variate paraunitary matrix PεPU_(n)(F[z₁, . . . , z_(r)]) is used for some rεN with the restriction 1≦r≦n. This paraunitary matrix is composed with a polynomial vector φ(x,x′)ε(F[x,x′])^(r) where x′=(x′₁, . . . , x′_(r)). Let φ_(x′)(x) and φ_(x)(x′) denote the polynomial vector φ(x,x′) when x′ and x are fixed, respectively. The only restriction imposed on φ is that for any xεF^(n), the polynomial mapping ö_(x):F^(n+r)→F^(r) must be a bijection. In a single formula, the following mapping is used:

ψ:F^(n+r)→F^(n)

(x,x∝)→(P∘φ)(x,x′)t(x)

To prove that that this mapping satisfies all the properties required for a signature scheme, let yεF^(n) be an arbitrary vector. Randomly choose a vector z=(z₁, . . . , z_(r))εF^(r) such that z_(i)≠0 for all iε[r], and set ö(x, x′)=z. Since t is an efficiently invertible bijection, the value of x is uniquely obtained as x=t⁻¹({tilde over (P)}(z)y). In addition, uniquely obtain the value of x′ from the equation φ_(x)(x′)=z. Since this procedure is valid for all yεF^(n), the mapping ψ is surjective. Moreover, by the presented procedure, the value of x depends on the random choice for z. Hence, ψ is a many-to-one function that can be efficiently inverted.

The signature-generation algorithm of the PDSS is presented in Algorithm 5.

Algorithm 5: Sign INPUT: Message y ∈ F^(n) y ∈ F^(n) OUTPUT: Signature (x, x′) ∈ F^(n+r) 1. Randomly choose z = (z¹, ..., Z_(r)) ∈ F^(r) such that z_(i) ≠ 0 for all i ∈ [r], 2. x = t⁻¹({tilde over (P)}(z)y, x′ ← φ_(x) ⁻¹(z) 3. Return (x, x′)

For verification, the signature (x, x′) of the message y is accepted if y=ø(x, x′). Since the signature generation depends on the random choice for z, the PDSS is a non-deterministic scheme. This is a desirable feature that was not possible in the C* scheme and its variants. The verification algorithm of the PDSS consists only of evaluating the public polynomial-vector ψ at the signature. Since the polynomial evaluation can be performed very fast and efficient, the signature verification in the PDSS has the same properties. This feature makes the PDSS very attractive for many applications in which a message is signed only once, but verified many times. It is worth noting that the PDSS operates on any finite field F₂ _(m) with m≧2.

The key-generation algorithm of the PDSS is presented in Algorithm 6.

Algorithm 2: Key generation  INPUT: Master key k ∈ F^(n)  PUBLIC OUTPUT: Polynomial vector ø ∈ (F[x, x′])^(n)  SECRET OUTPUT: An r-variate paraunitary matrix P ∈ PU_(n)(F[z]), a vector polynomial in φ ∈ (F[x, x′])^(r), an automorphism t ∈ Aut(F[x]).

1. Generate an r-variate paraunitary matrix PεPU_(n)(F[z]) by multiplying elementary building blocks whose parameters are taken from the set K.

2. Using the vectors in K as coefficients, construct a vector polynomial φε(F[x,x′])^(r) with the following properties: (1) it must be invertible when xεF^(n) is fixed, and (2) it must be semi-invertible when x′εF^(r) is fixed.

3. Construct an automorphism tεAut(F[x]) using the vectors in K as coefficients.

4. Construct the vector polynomial (P∘φ)(x,x′)t(x).

The complexity of the PDSS is illustrated in Table III.

TABLE III Public-key Secret-key Signature Generation generation generation Verification PDSS O(m²n³) O(m²n²) O(m²n³) O(m²n³) HFE O(m²n⁴) O(m²n²) O(m²n²) O(m²n²)

Thus, cryptographic systems and methods that are based on paraunitary matrices have been disclosed. It is to be understood that the above-described embodiments are merely illustrative of some of the many specific embodiments that represent applications of the principles discussed above. Clearly, numerous and other arrangements can be readily devised by those skilled in the art without departing from the scope of the invention. 

1. A public-key cryptographic system comprising: apparatus for creating a paraunitary matrix over a field having characteristic two; apparatus for creating a polynomial vector whose entries are polynomials and which is a bijection; apparatus for creating a polynomial vector that is formed by multiplying the paraunitary matrix by the polynomial vector; apparatus for making the polynomial vector public; apparatus for encrypting plaintext information using the public polynomial vector; and apparatus for decrypting the encrypted plaintext information using the secret paraunitary matrix.
 2. The system recited in claim 1 wherein the field having characteristic two is a Galois field, GF(256).
 3. The system recited in claim 1 wherein the paraunitary matrix has the form: ${P(x)} = \begin{bmatrix} {p_{11}(x)} & \cdots & {p_{1n}(x)} \\ \vdots & ⋰ & \vdots \\ {p_{n\; 1}(x)} & \cdots & {p_{nn}(x)} \end{bmatrix}$ in which x represents n variables (x₁, . . . , x_(n)) and p_(ij)(x) are polynomials in n variables.
 4. A public-key cryptographic method comprising: defining a paraunitary matrix over a field having characteristic two; generating a plaintext vector x; masking the plaintext vector x by evaluating a bijective vector at x and multiplying the result by the paraunitary matrix evaluated at x.
 5. The method recited in claim 4 wherein the paraunitary matrix is derived by: multiplying a predetermined number of building blocks whose parameters are obtained from the plaintext vector and its bit permutations.
 6. A method comprising creating a paraunitary matrix, P(x), in n variables of the form: ${{P(x)} = \begin{bmatrix} {p_{11}(x)} & \cdots & {p_{1n}(x)} \\ \vdots & ⋰ & \vdots \\ {p_{n\; 1}(x)} & \cdots & {p_{nn}(x)} \end{bmatrix}};$ creating a polynomial vector t(x) whose entries are polynomials and which is a bijection; creating a polynomial vector φ_(A)(x) by multiplying the paraunitary matrix P(x) by the polynomial vector t(x); making the polynomial vector φ_(A)(x) public while keeping the paraunitary matrix P(x) secret; encrypting plaintext information using the public polynomial vector φ_(A)(x); transmitting the encrypted plaintext information to a site having the secret paraunitary matrix P(x); and decrypting the encrypted plaintext information using the secret paraunitary matrix P(x).
 7. A method of providing a digital signature comprising providing, at a first site, an encryption algorithm and a corresponding decryption algorithm; generating a hash of an electronic document that is to be signed; generating a signature for the electronic document at the first site by decrypting the hash using the decryption algorithm; transmitting the signature, the hash, and the encryption algorithm to a second site; and encrypting the transmitted signature at the second site and comparing the result with the hash to verify the signature.
 8. Apparatus for providing a digital signature comprising an encryption algorithm and a corresponding decryption algorithm; apparatus for generating a hash of an electronic document that is to be signed; apparatus for generating a signature for the electronic document by decrypting the hash using the decryption algorithm; apparatus for transmitting the signature, the hash, and the encryption algorithm; and apparatus for encrypting the transmitted signature and comparing the result with the hash to verify the signature. 